Analysis

max time kernel: 149s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/12/2023, 00:22

Static task: static1 (1 signatures)
Behavioral task: behavioral1
Sample: 218c7421b6efda2d6fd250180c5b43b8.exe
Resource: win7-20231215-en
5 signatures
150 seconds
General

Target: 218c7421b6efda2d6fd250180c5b43b8.exe
Size: 153KB
MD5: 218c7421b6efda2d6fd250180c5b43b8
SHA1: 094a3f9d1b4c3710c7ec5175f98fab8cc58c2ba1
SHA256: 01baf1d8b42b779575cc89dd4600d488a1b70d4957329f47f97e9cee2b12d430
SHA512: 37f7980165273c74f87c7e0d93b0dc215f76f338801d6963a7fec106ca3551d5f279cd5d1f16cdced57218610b050f58a54af8f01ada64602ebba11b862db446
SSDEEP: 1536:p8nXOBSKn1kfZ0I58RVun1AZj7wPnNOJLMEJFtiL0wkej2qRyK6iiyHOLA59TA5g:fBnsZ0I58RVY1AgeXJA0Y2TthLA590u
Malware Config

Signatures

Loads dropped DLL (1 IoCs)
pid | Process
4744 | rundll32.exe

Installs/modifies Browser Helper Object (2 TTPs, 3 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ccf3a51-415c-4f2f-beab-65f09b80441f} | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0ccf3a51-415c-4f2f-beab-65f09b80441f}\ = "3520000" | rundll32.exe

Drops file in System32 directory (1 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\tuvVMfdd.dll | 218c7421b6efda2d6fd250180c5b43b8.exe

Modifies registry class (5 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\WOW6432Node\CLSID | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ccf3a51-415c-4f2f-beab-65f09b80441f} | rundll32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ccf3a51-415c-4f2f-beab-65f09b80441f}\InprocServer32 | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ccf3a51-415c-4f2f-beab-65f09b80441f}\InprocServer32\ = "C:\\Windows\\SysWow64\\tuvVMfdd.dll" | rundll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0ccf3a51-415c-4f2f-beab-65f09b80441f}\InprocServer32\ThreadingModel = "free" | rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 4904 wrote to memory of 4744 | 4904 | 218c7421b6efda2d6fd250180c5b43b8.exe | 16
PID 4904 wrote to memory of 4744 | 4904 | 218c7421b6efda2d6fd250180c5b43b8.exe | 16
PID 4904 wrote to memory of 4744 | 4904 | 218c7421b6efda2d6fd250180c5b43b8.exe | 16
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\218c7421b6efda2d6fd250180c5b43b8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\218c7421b6efda2d6fd250180c5b43b8.exe"
  PID: 4904
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory

  Level 2 (child of the process above): C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32 "C:\Windows\system32\tuvVMfdd.dll",a
    PID: 4744
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies registry class